[ https://issues.apache.org/jira/browse/QPID-7323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robbie Gemmell updated QPID-7323:
---------------------------------
    Description: 
When applications call getObject() on a consumed JMS ObjectMessage they are 
subject to the behaviour of any object deserialization during the process of 
constructing the body to return.

This improvement adds the new configuration options to whitelist trusted 
content permitted for deserialization. When so configured, attempts to 
deserialize input containing other content will be prevented.

    was: Make improvements to the ObjectMessage implementation

        Summary: [CVE-2016-4974] [Java Client] add whitelisting of trusted 
content for deserialization from ObjectMessage  (was: [Java Client] 
Improvements to the ObjectMessage implementation)

Two new URI options were added:

*objectMessageClassHierarchyWhiteList* A comma-separated list of class/package 
names that should be allowed when deserializing the contents of a JMS 
ObjectMessage, unless overridden by the blackList. The names in this list are 
not pattern values; the exact class or package name must be configured, e.g. 
"java.util.Map" or "java.util". Package matches include sub-packages. Default 
is to allow all.

*objectMessageClassHierarchyBlackList* A comma-separated list of class/package 
names that should be rejected when deserializing the contents of a JMS 
ObjectMessage. The names in this list are not pattern values; the exact class 
or package name must be configured, e.g. "java.util.Map" or "java.util". Package 
matches include sub-packages. Default is to prevent none.
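The following is an added illustration of the matching rules described for the two options, written here as a stand-alone example; it is not the Qpid Java client's own implementation. It parses the two option values, applies the documented semantics (exact class or package name, package entries cover sub-packages, the blacklist overrides the whitelist, an empty whitelist allows all and an empty blacklist prevents none), and enforces the decision in ObjectInputStream.resolveClass() so a disallowed class is rejected before any of its code can run. The sample payload (a HashMap) is constructed for the example; class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Added example, not Qpid code: whitelist/blacklist filtering of ObjectMessage bodies. */
public class TrustedDeserializationExample {

    /** Splits a comma-separated option value into trimmed, non-empty names. */
    static List<String> parseList(String option) {
        List<String> names = new ArrayList<>();
        if (option == null) {
            return names;
        }
        for (String part : option.split(",")) {
            String name = part.trim();
            if (!name.isEmpty()) {
                names.add(name);
            }
        }
        return names;
    }

    /** An entry matches the exact class name, or a package of the class (sub-packages included). No wildcards. */
    static boolean matches(String entry, String className) {
        return className.equals(entry) || className.startsWith(entry + ".");
    }

    /** Blacklist first (it overrides the whitelist); an empty whitelist means "allow all". */
    static boolean isTrusted(List<String> whiteList, List<String> blackList, String className) {
        for (String entry : blackList) {
            if (matches(entry, className)) {
                return false;
            }
        }
        if (whiteList.isEmpty()) {
            return true;
        }
        for (String entry : whiteList) {
            if (matches(entry, className)) {
                return true;
            }
        }
        return false;
    }

    /** ObjectInputStream that consults the lists for every class descriptor in the stream. */
    static final class FilteringObjectInputStream extends ObjectInputStream {
        private final List<String> whiteList;
        private final List<String> blackList;

        FilteringObjectInputStream(InputStream in, List<String> whiteList, List<String> blackList)
                throws IOException {
            super(in);
            this.whiteList = whiteList;
            this.blackList = blackList;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // desc.getName() is the JVM class name; array descriptors use "[L...;" syntax, which a
            // real filter must decide how to treat (this example treats them as ordinary names).
            String name = desc.getName();
            if (!isTrusted(whiteList, blackList, name)) {
                throw new InvalidClassException(name, "class not permitted for deserialization");
            }
            return super.resolveClass(desc);
        }
    }

    static Object deserialize(byte[] data, List<String> whiteList, List<String> blackList)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new FilteringObjectInputStream(new ByteArrayInputStream(data), whiteList, blackList)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample body, as an application might have placed in an ObjectMessage.
        Map<String, Integer> body = new HashMap<>();
        body.put("count", 3);
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(body);
        }

        // The whitelist must cover every class in the stream: the map's Integer values
        // bring in java.lang.Integer and java.lang.Number, so "java.util" alone would fail.
        List<String> whiteList = parseList("java.util,java.lang");
        System.out.println("allowed: " + deserialize(bytes.toByteArray(), whiteList, parseList("")));

        // Same payload with java.util.HashMap blacklisted: rejected before the map is built.
        try {
            deserialize(bytes.toByteArray(), whiteList, parseList("java.util.HashMap"));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point the second run makes is the one the blacklist option documents: a blacklisted class (or package) is refused even when a broader whitelist entry would otherwise have admitted it, and the refusal happens in resolveClass(), before the object's own deserialization logic executes.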

> [CVE-2016-4974] [Java Client] add whitelisting of trusted content for 
> deserialization from ObjectMessage
> --------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7323
>                 URL: https://issues.apache.org/jira/browse/QPID-7323
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Client
>            Reporter: Keith Wall
>            Assignee: Lorenz Quack
>             Fix For: qpid-java-6.0.4, qpid-java-6.1
>
>
> When applications call getObject() on a consumed JMS ObjectMessage they are 
> subject to the behaviour of any object deserialization during the process of 
> constructing the body to return.
> This improvement adds the new configuration options to whitelist trusted 
> content permitted for deserialization. When so configured, attempts to 
> deserialize input containing other content will be prevented.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
